Credit: CSO Staff
The year of cybercrime since our most recent US State of Cybercrime Survey has been nothing less than stunning. There were the Home Depot and JP Morgan Chase data breaches, the Sony Pictures fiasco, and most recently the devastating breach at the US Office of Personnel Management (OPM) that appears to be worse than first believed.
In the face of such a series of events, it's no surprise that cybercrime awareness has hit an all-time high. What is surprising, however, is that after years of effort and attention to information security, most organizations' ability to respond to cyberattacks has stalled. That fact is just one of the notable takeaways from our 2015 US State of Cybercrime Survey of more than 500 respondents, including US business executives, law enforcement services, and government agencies. The survey is cosponsored by PwC, CSO, the CERT Division of the Software Engineering Institute at Carnegie Mellon University, and the United States Secret Service.
According to this year's survey, the number of respondents who reported being more concerned about information security risks spiked to 76 percent, up from 59 percent in the same survey one year ago. CEOs also have taken notice, with PwC's most recent Annual Global CEO Survey revealing that 87 percent of CEOs in the US fear that cyber attacks could disrupt economic growth.
A loose alignment and dangerous lack of visibility
With information security such a pressing issue, why has there been a persistent discord between business leaders and information security teams when it comes to building more attack-resilient organizations? John Johnson, global security strategist at Moline, Ill.-based heavy equipment maker John Deere, says that more boards are, in fact, increasingly recognizing gaps in their security programs and are demanding higher visibility and maturity for security within their organizations. Despite this, however, internal challenges remain. At the top of the list is executive hierarchy and reporting structure. "The problem is, as long as security reports up through the CIO, these [security] changes may not be timely and effective," says Johnson.
"Some organizations get it and move the CISO out from under the CIO, or create a dotted line reporting structure to the CEO. Others are biding their time until they suffer a breach and then they have to truly elevate the [CISO] role," Johnson adds.
The security-business alignment is loose everywhere, and among a sizable number of respondents it is not even in place. This year's survey revealed that 26 percent of respondents said their CISO makes only one security presentation to their board annually, while 28 percent said their CISO does not make any kind of cybersecurity presentation whatsoever.